March 03, 2010

Open Identity Exchange Proposes Identity Trust Framework

Today, at the RSA conference, the Open Identity Exchange (OIX), which aims to increase trust in online identities and is backed by the OpenID and Information Card Foundations, announced its inception. In parallel, the U.S. Government is recognizing multiple technology companies, including Google, PayPal and Equifax, as meeting federal standards for identity assurance, essentially securing users' ability to register and log in at federal Web sites with credentials from each of those services.

Goals of the Open Identity Exchange include building online users' trust and confidence in the exchange of identity credentials, standardizing these interactions and reducing hassle with online logins, registrations and purchases. As practically any Web user knows, remembering scads of online user names and passwords, each corresponding to a different site with a different trust level, can be a complete pain, no matter how much effort is taken to standardize. The alternative, keeping one password for multiple services, which many do, has many more problems of its own.

OIX and its members are looking to reduce the problems with today's Web and move toward further highlighting open standards. Founding members of OIX, a non-profit corporation, include Booz Allen Hamilton, CA, Equifax, Google, PayPal, Verisign and Verizon.

The Often Complicated Process of Assessing Trusted Identity Online

Google's participation in the exchange follows the company's hirings of some of the more vocal advocates of OpenID and the open movement in general, including Chris Messina and Joseph Smarr. Earlier this week, a Google spokesperson wrote by e-mail that the inclusion of the company as part of OIX's launch should not come as much of a surprise.

"As you probably know, Google has long supported and contributed to the development of identity standards such as OpenID and OAuth, largely in order to increase online security by reducing the reliance on password use across websites," they wrote.

A white paper on the new OIX Web site, entitled "An Open Market Solution for Online Identity Assurance", explains how open identity technologies, including OpenID and Information Cards, serve to take closed user name and password systems deployed by most Web sites and expand them to accept identities issued by other parties, such as Google, PayPal and Equifax. Much of the paper, and OIX's mission, centers on the social, business, legal and emotional issues surrounding identity, such as trust.

This model of trust is explained in a second piece which defines a new "Open Identity Trust Framework (OITF)". The OITF paper shows holes in today's trust frameworks, and questions how people passing along personally identifiable information can be sure their data is protected with acceptable technical, operational and legal safeguards, while proposing a structured role for policymakers, providers, assessors, auditors, and dispute resolvers, to be sure that all participants are acting in a trusted manner. It may seem overly bureaucratic, but considering the Federal government needs to accept its findings, process is a good thing.

Lest you think this is just yet another association or bureaucracy with talking heads looking to grease the skids of online growth, see the conclusion of the OITF model paper, where the authors explain a data utopia: "Imagine that the OITF model takes off and identity aspects of all digital communications become reliant on this new layer of the Internet. Society could become dependent on this type of infrastructure for collective action. The authors want to make it clear that trust frameworks for identity information portend to be so important for the future information society that they warrant extensive scrutiny, participation, and feedback from a wide representation of stakeholders."